Bitcoin Miner/Botnet - Need to make sure


This topic is locked
7 replies to this topic

#1 CloseToHome

CloseToHome

  • Members
  • 52 posts
  • OFFLINE
  • Local time:11:29 AM

Posted 07 January 2018 - 03:48 AM

Greeting Bleeping Computer!
 
Just a few minutes ago while searching on Google, it suddenly jumped to "https://ipv4.google.com/sorry/" page. After researching about this, Google seemed to detect unusual activity from my network. Furthermore, many people have said it could be caused by a host piece of malware that is doing that to me. My laptop currently runs fine, but I'm afraid I could be infected! I would appreciate it if anyone could help me check if there's anything suspicious on my device.
 
To start off, I did the FRST scan and my logs are attached.

 

Thanks again.

Attached Files


#2 sasschary

sasschary

  • Malware Study Hall Senior
  • 782 posts
  • ONLINE
  • Gender:Male
  • Location:A galaxy far, far away...
  • Local time:12:29 PM

Posted 07 January 2018 - 04:11 PM

Hi, CloseToHome,

My name is Zach, and, though I generally go by Sasschary, you may call me whatever you want. I will be helping you get your computer working again. Please give me a little bit to look over the logs you posted, and I will post back here again as soon as I can.

Also, please be aware that I am currently in training, so all of my posts need to be reviewed before you can see them. As such, it may take a day or two for me to post my replies.

Sincerely,
Sasschary



#3 CloseToHome

CloseToHome
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:11:29 AM

Posted 07 January 2018 - 04:56 PM

> Hi, CloseToHome,
>
> My name is Zach, and, though I generally go by Sasschary, you may call me whatever you want. I will be helping you get your computer working again. Please give me a little bit to look over the logs you posted, and I will post back here again as soon as I can.
>
> Also, please be aware that I am currently in training, so all of my posts need to be reviewed before you can see them. As such, it may take a day or two for me to post my replies.
>
> Sincerely,
> Sasschary

No problem. Thank you for taking your time to help me. I really appreciate it!



#4 sasschary

sasschary

  • Malware Study Hall Senior
  • 782 posts
  • ONLINE
  • Gender:Male
  • Location:A galaxy far, far away...
  • Local time:12:29 PM

Posted 09 January 2018 - 05:09 PM

Hi, CloseToHome,

My apologies for not having responded yet. I have finished my analysis of your logs, but I am still waiting for an instructor to review my work.

Sasschary



#5 CloseToHome

CloseToHome
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Local time:11:29 AM

Posted 09 January 2018 - 05:31 PM

> Hi, CloseToHome,
>
> My apologies for not having responded yet. I have finished my analysis of your logs, but I am still waiting for an instructor to review my work.
>
> Sasschary

That is fine, thank you



#6 sasschary

sasschary

  • Malware Study Hall Senior
  • 782 posts
  • ONLINE
  • Gender:Male
  • Location:A galaxy far, far away...
  • Local time:12:29 PM

Posted 10 January 2018 - 08:27 AM

Hi CloseToHome,

As I said earlier, I go by Sasschary, but you can call me whatever you want  :) I will be working with you to get your computer working again.

I will do my best to get your computer up and running as quickly as possible! However, there are a few things which I will need you to do if we want this process to go smoothly:

  • I need your system to stay in the state that it is at the last time I give you instructions. In other words, please do not do anything to your computer unless I have instructed you to do so.
  • If you do not understand an instruction, please stop immediately and tell me what you do not understand.
  • If there is something which seems to be working improperly, please stop and tell me what has happened.

Now that we've got that settled, let's get started...

I believe the Google page you saw may be a fluke. This could happen if you are using a dynamic IP address, especially if you are not signed in to Google. Has this been a recurring event, or did it only happen once?

You also have a Firefox extension called Pioneer Enrollment installed. Do you recognize this? If you do not, I suggest removing it, as it collects potentially sensitive information from your browsing. I can give you instructions on how to remove this extension if you would like.

It looks like you have some P2P software installed on your computer.

P2P programs have a high risk of bringing infection. Stay away from them if at all possible, especially if you are downloading illegal software/music/movies/etc. Not only are these areas very large targets for malware authors, they are also what they say in the name: illegal. I ask, although I will not require, that you remove this software before continuing. At the very least, refrain from using it until we are done working on your computer. If you have any pirated software, I ask you to remove that as well. If you need any help removing these programs, I can help you with that.

Let's run a scan using ESET's Online Scanner

  1. Disable your current antivirus software. If you need help with this, please ask me for assistance before continuing.
  2. Click Scan Now from here and save the file to your desktop.
  3. On your desktop, right click the ESET file you just downloaded and click Run as Administrator.
  4. If a User Account Control dialog box opens, click Yes to allow ESET to run.
  5. When the scanner opens, click Accept.
  6. Click the radio button next to Enable detection of potentially unwanted applications.
  7. Click Advanced settings.
  8. In the advanced settings section, make sure the following settings are checked and that all others are unchecked.
     • Enable detection of potentially unsafe applications
     • Scan archives
     • Enable Anti-Stealth technology
     • Clean threats automatically
  9. Click Scan.
  10. Allow the scan to run. After it has completed, if any threats are found, click List Found Threats. If no threats are found, click Finish and skip to step number 14.
  11. Click Export.
  12. Save the file on your desktop as ESETScan.txt.
  13. Click Back and then Finish to close the scanner.
  14. Finally, re-enable your antivirus. I can help with this if you need it.

If there were any threats, the log that we saved from ESET should be on your desktop. Please open it, then copy and paste the contents into your next reply.

In your next reply, please include the following:

  • ESETScan.txt
  • Have you seen the Google page more than once?
  • Do you recognize the Pioneer Enrollment Firefox extension?

sasschary
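The question above about the Pioneer Enrollment extension is the kind of thing a helper can answer from a profile's add-on manifest rather than by memory. The following is an added example (it is not from this thread or from ESET, Mozilla, or BleepingComputer) that inventories a Firefox profile's installed add-ons from its extensions.json and flags any enabled add-on whose name or id is not on a list the user recognizes. The key names it reads (addons, id, type, active, userDisabled, location, defaultLocale.name) are assumed to follow Firefox's extensions.json layout; the sample document, including its add-on ids, is constructed for the example.

```python
import json
from pathlib import Path

# Constructed sample of a Firefox profile's extensions.json. The layout
# (an "addons" list with id/type/active/userDisabled/location and a
# defaultLocale.name) is assumed to match what Firefox writes; the entries
# themselves, including the Pioneer Enrollment id, are made up here.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 31,
    "addons": [
        {"id": "uBlock0@raymondhill.net", "type": "extension",
         "active": True, "userDisabled": False, "location": "app-profile",
         "defaultLocale": {"name": "uBlock Origin"}},
        {"id": "pioneer-enrollment@example.invalid", "type": "extension",
         "active": True, "userDisabled": False, "location": "app-profile",
         "defaultLocale": {"name": "Pioneer Enrollment"}},
        {"id": "old-toolbar@example.invalid", "type": "extension",
         "active": False, "userDisabled": True, "location": "app-profile",
         "defaultLocale": {"name": "Some Disabled Toolbar"}},
        {"id": "default-theme@example.invalid", "type": "theme",
         "active": True, "userDisabled": False, "location": "app-global",
         "defaultLocale": {"name": "Default"}},
    ],
})


def parse_extensions(json_text):
    """Return one summary dict per add-on found in an extensions.json document."""
    data = json.loads(json_text)
    summaries = []
    for addon in data.get("addons", []):
        locale = addon.get("defaultLocale") or {}
        summaries.append({
            "name": locale.get("name", "<unnamed>"),
            "id": addon.get("id", "<no id>"),
            "type": addon.get("type", "unknown"),
            # Treat an add-on as enabled only if Firefox marks it active and
            # the user has not disabled it.
            "enabled": bool(addon.get("active")) and not addon.get("userDisabled", False),
            "location": addon.get("location", "unknown"),
        })
    return summaries


def flag_unrecognized(summaries, allowlist):
    """Return enabled add-ons whose name or id is not in the caller's allowlist.

    The allowlist is whatever the user recognizes (names or ids, case-insensitive);
    anything enabled that is not on it is worth asking about, as in the thread.
    """
    allowed = {entry.lower() for entry in allowlist}
    return [
        s for s in summaries
        if s["enabled"]
        and s["name"].lower() not in allowed
        and s["id"].lower() not in allowed
    ]


def audit_profile(profile_dir, allowlist):
    """Read extensions.json from a real profile directory and flag unknown add-ons."""
    manifest = Path(profile_dir) / "extensions.json"
    return flag_unrecognized(parse_extensions(manifest.read_text(encoding="utf-8")), allowlist)


if __name__ == "__main__":
    # Run against the constructed sample; pass a real profile path to audit_profile instead.
    known = ["uBlock Origin", "Default"]
    for addon in flag_unrecognized(parse_extensions(SAMPLE_EXTENSIONS_JSON), known):
        print(f"Unrecognized enabled add-on: {addon['name']} ({addon['id']}, {addon['location']})")
```

Disabled add-ons are deliberately not flagged, since the question the helper is asking is about what currently runs in the browser; drop the `enabled` condition if you also want a record of dormant ones.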



#7 sasschary

sasschary

  • Malware Study Hall Senior
  • 782 posts
  • ONLINE
  • Gender:Male
  • Location:A galaxy far, far away...
  • Local time:12:29 PM

Posted 13 January 2018 - 11:57 AM

Hi, CloseToHome,

Are you still with me?

Sasschary



#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,114 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:29 PM

Posted 15 January 2018 - 11:16 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise

Malware analyst @ Emsisoft